
Global Director, Third-Party Risk Management


Dublin, Ireland

Job Description

The Global Director of Third-Party Risk Management (TPRM) is responsible for establishing, leading, and maturing Grant Thornton’s enterprise-wide Third-Party Risk Management program. This leader oversees the design, implementation, governance, and continuous improvement of the firm’s global TPRM framework, lifecycle processes, risk assessments, due diligence standards, monitoring practices, reporting, and enabling technologies.

This role provides firm-wide leadership to ensure effective management of risks associated with third-party relationships, including information security, privacy, operational resilience, geopolitical, compliance, ESG, financial, reputational, technology, and fourth-party risks. The Director serves as the central point of coordination for third-party risk across global platform firms, service lines, and internal client services (ICS) functions.

The Director partners closely with procurement, legal, information security, privacy, technology, ESG, business continuity, and compliance teams to ensure consistency, alignment to regulatory expectations, and risk-based oversight at scale. The role also drives global stakeholder engagement, training, communication, and adoption of the TPRM operating model, ensuring strong participation and accountability across the enterprise.

Key Responsibilities

1. Program Leadership & Governance

  • Lead, maintain, and continuously evolve the enterprise-wide TPRM Framework, ensuring alignment with regulatory requirements, industry standards, and Grant Thornton business objectives. 
  • Establish program governance, steering routines, documentation standards, and lifecycle oversight across global service lines and internal support units.
  • Translate firm-wide risk appetite and strategic priorities into actionable TPRM policies, procedures, thresholds, and risk-based methodologies.
  • Oversee global compliance with the TPRM Policy, supporting audits, regulatory inquiries, QC-1000 / ISQM-1 assessments, and internal assurance activities.


2. Global Risk Assessment & Due Diligence Oversight

  • Oversee the design, maintenance, and continual refinement of the Inherent Risk Assessment (IRA), residual risk methodologies, scoring models, and risk domain applicability logic.
  • Ensure high-quality, standardized due diligence processes across all risk domains, including information security, privacy, operational resilience, compliance, geopolitical, ESG, financial, fourth-party, reputational, and technology risk areas. 
  • Ensure due diligence questionnaires (DDQs), evidence requirements, and domain-specific assessments remain current, risk-aligned, and regulator-ready.
  • Oversee the residual risk evaluation process, risk escalation pathways, and formal risk acceptance workflows.


3. Global TPRM Lifecycle Management

  • Ensure the TPRM lifecycle is operationalized consistently across all global regions: planning, risk identification, risk assessments, due diligence, contract negotiation support, ongoing monitoring, and renewal/termination. 
  • Partner with procurement, IT vendor management, and legal to ensure seamless integration of TPRM requirements into sourcing, contracting, and vendor management processes.
  • Support contract negotiation by ensuring required risk-based terms, SLAs, privacy/security obligations, and geopolitical restrictions are incorporated into agreements.
  • Oversee the design and effectiveness of contingency planning requirements for critical third parties.


4. Technology Ownership & Data Governance

  • Serve as the business owner of the firm’s TPRM technology (e.g., OneTrust), driving design, enhancements, configurations, workflows, dashboards, and integrations.
  • Establish and maintain the inventory of third-party services, risk assessments, metrics, and reporting within the TPRM technology system.
  • Ensure the system of record supports consistent execution, documentation, auditability, and enterprise-level analytics.


5. Monitoring, Reporting & Metrics

  • Lead the development and delivery of enterprise reporting on inherent/residual risk, concentration risk, domain results, issues and remediation, SLA performance, monitoring completion, and geopolitical exposures. 
  • Provide actionable insights and trend analysis to executive leadership and board-level committees.
  • Drive remediation oversight and ensure issues are resolved within required timeframes.


6. Stakeholder Engagement & Global Enablement

  • Provide training, communication, and change management support for all stakeholders, including domain owners, service lines, support functions, and procurement teams.
  • Partner with global platform firms to harmonize TPRM practices and support cross-border vendor oversight.
  • Serve as a strategic advisor to senior leadership on emerging risks, regulatory expectations, and transformation opportunities.


7. Continuous Improvement & Future Maturity

  • Identify and implement program enhancements aligned to the TPRM Framework’s long-term maturity roadmap (e.g., risk appetite metrics, key risk indicators, additional domains, expanded control testing, independent validation). 
  • Evaluate changing regulatory landscapes, including privacy laws, DOJ guidance, OFAC sanctions, technology/cyber regulations, QC-1000/ISQM-1, ESG standards, and global data sovereignty requirements.
  • Drive innovation in automation, AI-enabled risk analysis, peer benchmarking, and advanced monitoring tools.


Qualifications

Required

  • 10+ years of experience in Third-Party Risk Management, enterprise risk, supplier risk, procurement risk, information security risk, compliance, privacy, or related disciplines.
  • Deep understanding of TPRM frameworks, risk domains, TPRM technology platforms, and regulatory expectations for outsourcing and vendor oversight.
  • Experience implementing and maturing risk assessment methodologies, DDQs, dashboards, and end-to-end lifecycle processes.
  • Strong experience partnering with information security, privacy, legal, procurement, business continuity, and senior leadership teams.
  • Demonstrated ability to manage global stakeholders and drive enterprise-scale adoption of complex risk programs.
  • Excellent leadership, communication, presentation, and stakeholder-management skills.
  • Fluency in English, both spoken and written.
  • Strong analytical and problem-solving abilities with demonstrated experience interpreting risk data and producing executive-level insights.

Preferred

  • Prior experience in professional services or a regulated industry environment.
  • Certification(s) such as: CISM, CRISC, CISA, CISSP, CIPP, PMP, or similar.
  • Experience with OneTrust or comparable TPRM platforms.
  • Experience supporting QC-1000, ISQM-1, SOX, SOC, ISO 27001, NIST CSF, or similar frameworks.


Personal Attributes

  • Strategic thinker with a practical approach to implementing risk-based solutions.
  • Skilled at influencing without authority across varied seniority levels and global regions.
  • Highly collaborative, proactive, detail-oriented, and solutions-focused.
  • Strong judgment, diplomacy, and decisiveness in high-impact risk discussions.


Job Info

  • Job Identification 114296
  • Job Category -
  • Posting Date 19/01/2026, 15:22
  • Degree Level Bachelor's Degree
  • Job Schedule Full time
  • Locations Dublin, Ireland
